Introduction
The Solaris kernel provides a great deal of user-configurable control over the system
TCP/IP stack. Everything from cache table lifetimes to the number of TCP connections
that the system can queue is controllable. However, without understanding why these
kernel parameters need tuning, many system administrators choose to ignore them,
leaving their systems vulnerable to a resourceful assailant.
The tool Solaris system administrators use to tune these parameters is ndd. ndd
operates on the STREAMS network drivers (/dev/ip, /dev/tcp, /dev/udp, /dev/arp and the
like) and can both show (-get) and set (-set) the values of their parameters.
SYN ------------------------------->
(Sequence #: X)
<------------------------------ SYN-ACK
(Acknowledgement #: X+1, Sequence #: Y)
ACK ------------------------------->
(Acknowledgement #: Y+1)
The abuse occurs when the destination host has responded to a SYN with a SYN-ACK but
never receives the final ACK, typically because the attacker sent the SYN from a
spoofed, unreachable source address. This leaves the destination host's entry for that
connection in a "half-open" state. The attacker then sends another SYN to the
destination host and repeats the process. This continues until every slot in the
connection queue of the targeted listening port is occupied by a "half-open" entry.
Once this happens, no further TCP SYN packets for that port can be processed by the
target until "half-open" entries are removed from the TCP connection queue, which by
default only happens when the abort timer for each entry expires.
One way to determine if a Solaris system is under a TCP SYN attack would be to
monitor the number of TCP connections in a SYN_RCVD state:
# netstat -an -f inet | grep SYN_RCVD | wc -l
This value can be compared to a baseline value taken when the machine is running
under normal circumstances. Solaris provides another way to determine if a machine is
under a TCP SYN attack. By running the command:
# netstat -s -P tcp
and inspecting the values of the parameters tcpTimRetransDrop and tcpListenDrop a
TCP SYN attack can be identified. The parameter tcpTimRetransDrop shows the
number of aborts since boot time due to abort time expirations. This value includes
both the SYN requests as well as established TCP connections.
The parameter tcpListenDrop shows the number of SYN requests that have been
refused since the system was booted because of a TCP queue backlog. There is a
high probability that the system is under a TCP SYN attack if the tcpListenDrop value
increases quickly along with the value of tcpTimRetransDrop.
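The two checks above, SYN_RCVD counting and the tcpListenDrop/tcpTimRetransDrop deltas between two snapshots, combined into one script. This is an added example, not code from the original paper; the thresholds (SYN_RCVD_FACTOR, SYN_RCVD_FLOOR) and the sample netstat output at the bottom are constructed for illustration, although the sample follows the column layout Solaris netstat prints.

```sh
#!/bin/sh
# SYN-flood indicators from the two netstat views described above. Added example,
# not from the original paper. Functions read netstat text on stdin, so they work
# on the live commands and on the constructed samples at the bottom of the file.

# Half-open connections: lines of "netstat -an -f inet" whose State is SYN_RCVD.
count_syn_rcvd() {
    awk '$NF == "SYN_RCVD" { n++ } END { print n + 0 }'
}

# One counter out of "netstat -s -P tcp", which packs several "name = value"
# pairs per line. Exact field match keeps tcpListenDrop and tcpListenDropQ0 apart.
tcp_counter() {   # $1 counter name
    awk -v name="$1" '{
        for (i = 1; i < NF - 1; i++)
            if ($i == name && $(i + 1) == "=") { print $(i + 2); exit }
    }'
}

# Verdict from the indicators.  $1 current SYN_RCVD, $2 baseline SYN_RCVD,
# $3 tcpListenDrop delta, $4 tcpTimRetransDrop delta over the sampling interval.
# Returns 0 when half-open connections are far above baseline, or when both
# listen-queue drops and abort-timer drops climbed (the joint indicator above).
syn_flood_suspected() {
    factor=${SYN_RCVD_FACTOR:-10}; floor=${SYN_RCVD_FLOOR:-20}   # assumed thresholds
    limit=$(( $2 * factor ))
    [ "$limit" -lt "$floor" ] && limit=$floor
    [ "$1" -gt "$limit" ] && return 0
    [ "$3" -gt 0 ] && [ "$4" -gt 0 ] && return 0
    return 1
}

# Compare two "netstat -s -P tcp" snapshots plus the connection table to a baseline.
#   $1 baseline SYN_RCVD count  $2 connection table  $3 stats at t0  $4 stats at t1
syn_flood_report() {
    cur=$(printf '%s\n' "$2" | count_syn_rcvd)
    ld0=$(printf '%s\n' "$3" | tcp_counter tcpListenDrop)
    ld1=$(printf '%s\n' "$4" | tcp_counter tcpListenDrop)
    rd0=$(printf '%s\n' "$3" | tcp_counter tcpTimRetransDrop)
    rd1=$(printf '%s\n' "$4" | tcp_counter tcpTimRetransDrop)
    echo "SYN_RCVD=$cur (baseline $1) tcpListenDrop +$(( ld1 - ld0 )) tcpTimRetransDrop +$(( rd1 - rd0 ))"
    if syn_flood_suspected "$cur" "$1" "$(( ld1 - ld0 ))" "$(( rd1 - rd0 ))"; then
        echo "verdict: SYN flood suspected"; return 0
    fi
    echo "verdict: within normal range"; return 1
}

# Constructed samples in Solaris netstat layout; addresses and numbers are made up.
SAMPLE_CONNS='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
192.168.1.10.22      192.168.1.50.4312     8760      0 49640      0 ESTABLISHED
192.168.1.10.80      10.0.0.7.1025            0      0 49152      0 SYN_RCVD
192.168.1.10.80      10.0.0.8.1026            0      0 49152      0 SYN_RCVD
192.168.1.10.80      10.0.0.9.1027            0      0 49152      0 SYN_RCVD'
SAMPLE_STATS_T0='TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpTimRetransDrop   =    12     tcpTimKeepalive     =  1234
        tcpListenDrop       =     0     tcpListenDropQ0     =     0'
SAMPLE_STATS_T1='TCP     tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
        tcpTimRetransDrop   =   812     tcpTimKeepalive     =  1240
        tcpListenDrop       =   655     tcpListenDropQ0     =     0'

# Live use on the host: ./syn_check.sh live <baseline_syn_rcvd> [interval_secs]
if [ "${1:-}" = live ]; then
    t0=$(netstat -s -P tcp); sleep "${3:-10}"; t1=$(netstat -s -P tcp)
    syn_flood_report "${2:-0}" "$(netstat -an -f inet)" "$t0" "$t1"
fi
```

Take the baseline SYN_RCVD count during a quiet period on the same host, since normal values differ widely between a busy web server and a workstation; the deltas, not the absolute counter values, are what matter, because both counters only grow since boot.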
To offset such an attack the administrator must do two things: shorten the abort timer
so that "half-open" entries expire sooner, and enlarge the queue that holds them.
To shorten the abort timer the kernel parameter tcp_ip_abort_cinterval is used. The
value for this parameter is given in milliseconds. By default the abort timer interval
is 180 seconds (180000). To set the abort time to 60 seconds the system administrator
can use the command:
# ndd -set /dev/tcp tcp_ip_abort_cinterval 60000
The kernel parameter tcp_conn_req_max_q0 controls the queue size for unestablished
("half-open") TCP connections in Solaris 2.6 and above (or in Solaris 2.5.1 with patch
103581-11). The default value for tcp_conn_req_max_q0 is 1024. To increase the queue
size the following command can be used:
# ndd -set /dev/tcp tcp_conn_req_max_q0 2048
Another type of SYN attack involves exhausting the queue of established TCP
connections that are waiting for the application to accept() them. This attack is less
attractive to an attacker than the TCP SYN attack described above because the
handshake must complete, so the connections can be traced back to their source;
however, it still presents a problem. Solaris 2.6 and above (as well as Solaris 2.5.1
with patch 103582-11) provide control over the size of the established TCP connection
queue. This control is provided by the kernel parameter tcp_conn_req_max_q. By default
it is set at 128. To increase the established TCP connection queue, the command is:
# ndd -set /dev/tcp tcp_conn_req_max_q <size>
where <size> is the maximum number of fully established connections that may wait on
a listening socket for the application to accept() them. This is a per-listener backlog
limit (it also caps the backlog an application can request with listen()), not a
ceiling on the host's total number of active TCP connections. Increasing either the TCP
queue for unestablished connections or the TCP
queue for established connections will require more memory. Without sufficient
memory the server's performance will be affected. Also, while this provides some
measure of relief against TCP SYN attacks and TCP established connection
exhaustion attacks these types of attacks depend on which side has more resources. If
the attacker can produce more TCP connections (whether "half-open" or established)
than the server can possibly handle this denial of service will succeed.
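An idempotent version of the three ndd settings above, applied only when the running value differs and read back afterwards to confirm the driver accepted them. This is an added example, not from the original paper; the target values, in particular the 256 chosen for tcp_conn_req_max_q, are assumptions to be sized for the host, and the DRY_RUN scratch-file mode (seeded with the defaults quoted in the text) exists only so the logic can be exercised on a machine without ndd.

```sh
#!/bin/sh
# Idempotent tuner for the three TCP parameters discussed above. Added example,
# not from the original paper; the target values are assumptions to adjust per host.
# Talks to the kernel through /usr/sbin/ndd; with DRY_RUN=1 a scratch file stands in
# for the driver (seeded with the defaults quoted in the text) so the logic can be
# exercised on any machine.

NDD=${NDD:-/usr/sbin/ndd}
STATE=${STATE:-/tmp/ndd_dryrun_state.$$}   # dry-run only

ABORT_CINTERVAL_SECS=60     # default 180 s; shorter so half-open entries expire sooner
CONN_REQ_MAX_Q0=2048        # half-open queue, default 1024
CONN_REQ_MAX_Q=256          # established-but-unaccepted queue, default 128 (assumed size)

# Seconds -> milliseconds, the unit ndd expects; rejects anything but an integer.
secs_to_ms() {
    case "$1" in
        ''|*[!0-9]*) echo "secs_to_ms: '$1' is not a non-negative integer" >&2; return 1 ;;
    esac
    echo $(( $1 * 1000 ))
}

# What the dry-run store answers before anything is set (defaults from the text).
dry_run_default() {
    case "$1" in
        tcp_ip_abort_cinterval) echo 180000 ;;
        tcp_conn_req_max_q0)    echo 1024 ;;
        tcp_conn_req_max_q)     echo 128 ;;
        *) echo "unknown parameter: $1" >&2; return 1 ;;
    esac
}

ndd_get() {   # $1 device (e.g. /dev/tcp)  $2 parameter
    if [ "${DRY_RUN:-0}" = 1 ]; then
        v=
        [ -f "$STATE" ] && v=$(sed -n "s|^$1 $2 ||p" "$STATE" | tail -1)
        if [ -n "$v" ]; then echo "$v"; else dry_run_default "$2"; fi
    else
        "$NDD" -get "$1" "$2"
    fi
}

ndd_set() {   # $1 device  $2 parameter  $3 value
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$1 $2 $3" >> "$STATE"
    else
        "$NDD" -set "$1" "$2" "$3"
    fi
}

# Set a parameter only if it differs, then read it back to confirm the change took.
ndd_ensure() {   # $1 device  $2 parameter  $3 desired value
    cur=$(ndd_get "$1" "$2") || return 1
    if [ "$cur" = "$3" ]; then
        echo "$2: unchanged ($cur)"
        return 0
    fi
    ndd_set "$1" "$2" "$3" || return 1
    new=$(ndd_get "$1" "$2") || return 1
    if [ "$new" != "$3" ]; then
        echo "$2: set to $3 but driver reports $new" >&2
        return 1
    fi
    echo "$2: $cur -> $new"
}

apply_syn_tuning() {
    ms=$(secs_to_ms "$ABORT_CINTERVAL_SECS") || return 1
    ndd_ensure /dev/tcp tcp_ip_abort_cinterval "$ms" &&
    ndd_ensure /dev/tcp tcp_conn_req_max_q0 "$CONN_REQ_MAX_Q0" &&
    ndd_ensure /dev/tcp tcp_conn_req_max_q "$CONN_REQ_MAX_Q"
}

# ./tune_tcp.sh apply            applies to the running kernel (run as root)
# DRY_RUN=1 ./tune_tcp.sh apply  shows what would change without touching the kernel
if [ "${1:-}" = apply ]; then
    apply_syn_tuning
fi
```

Values set with ndd live only in the running kernel and are lost at reboot, so a script like this has to be invoked from an rc script at boot (after the network drivers are loaded) for the tuning to persist; re-running it is harmless because it only changes parameters that differ. Run it with DRY_RUN=1 first to see the before/after values, and remember that the read-back check catches the case where the driver silently clamps a value to its permitted range.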
Conclusion
The Solaris kernel has many configurable parameters that are security related. These
parameters can be adjusted to strengthen the security posture of a system. The
parameters cover such things as ARP timeouts, IP forwarding of packets, IP source
routing of packets, TCP connection queue sizes, and many other factors governing
network connections. By tuning the kernel properly a system administrator can also
make OS fingerprinting of a Solaris system by tools such as queso and nmap
considerably harder.
Relevant Links